Authors: Christopher Kim, Randy McEoin
While cybercriminals are often portrayed as gangs of hackers or lone brilliant coders, more often they buy and sell goods and services as part of a larger criminal economy. For example, some actors sell malware services, and malware-as-a-service (MaaS) allows buyers easy access to the infrastructure necessary to commit crimes. These service providers also form strategic partnerships, similar to the way legitimate companies do, in order to extend the limits of their current operations. Such relationships are forged in secret and may include a number of partners, making them difficult to untangle and understand from an outside perspective. Researchers refer to these relationships as affiliations and although they are known to exist, their details largely remain a mystery.
In this paper, we unveil a set of large-scale malicious relationships involving VexTrio, ClearFake, SocGholish, and many other unnamed actors. This research was completed in collaboration with security researcher Randy McEoin, who discovered ClearFake and has studied SocGholish extensively.1 While SocGholish and ClearFake are most associated with malware and fake software update pages, they operate traffic distribution systems (TDSs) that route users based on the victim’s device, operating system, location, and other characteristics. VexTrio also operates a TDS that routes compromised web traffic sourced from affiliates, as well as their own infrastructure, to various forms of malicious content. This paper focuses on the actors’ TDS enterprises. We concluded that these three actors have strategic partnerships in which SocGholish and ClearFake pass victims to VexTrio.
While ClearFake emerged relatively recently, VexTrio and SocGholish have been operating since at least 2017 and 2018, respectively.2,3 We have been tracking VexTrio for nearly two years and first published on the actor in June 2022.4 At the time, we knew they were an unrecognized, pervasive part of the cybercrime economy. However, we didn’t fully appreciate the breadth of their activities and depth of their connections within the cybercrime industry. VexTrio may have gone unrecognized or ignored by the security community for so long because they aren’t tied to a specific malware, and instead are traffic brokers at their core. This is unfortunate for customers, because blocking VexTrio protects them from all manner of harm, a fact made even more clear as a result of our research.
VexTrio is the single most pervasive threat in our customers’ networks. Operating a massive network of its own, VexTrio is seen in more networks than any other actor and accounts for the most threats by query volume of any actor. Of their more than 70k known domains, nearly half have been observed in customer networks. We have seen VexTrio activity in as much as 19% of networks on a single day since 2020, and in over half of all customer networks in the last two years. Through our collaboration, we were able to determine that VexTrio is even older than we had previously estimated. Furthermore, it is now clear that the reason VexTrio is so widely observed is that they broker traffic for many cybercriminals, with at least 60 affiliates. VexTrio’s connectivity and persistence in the cybercrime industry is evidenced by their appearance in various publications that have unwittingly caught glimpses of their infrastructure and referenced their activity, including:
- the distribution of Glupteba malware, as reported by Nozomi Networks,5
- delivering victims to tech support scam pages, as reported by Sucuri,6 and
- the distribution of significant malicious content, as reported in general research on TDS behaviors by Palo Alto Networks, SUNY Stony Brook, and Carnegie Mellon University.7
Our research highlights the important role of TDS enterprises in the estimated $8 trillion cybercrime economy. The term traffic distribution system, or traffic delivery system, was lifted from the marketing industry, where the choice of an effective TDS is considered critical to the success of a business and is performed through affiliate marketers. In website marketing, a TDS has been described as a system of scripts that analyzes web traffic and, according to rules set by the webmaster, gives an appropriate response or redirection.8 More broadly, a TDS connects traffic sources, e.g., pages visited by a consumer, with destinations, e.g., advertisements. The traffic broker matches sources with destinations based on financial gain. Other researchers have previously shown that shady TDS operators are responsible for delivering consumers a wide array and large volume of malicious content, not just advertisements.9
In addition to the revelation that ClearFake and SocGholish are VexTrio affiliates, our research has generated a number of other major findings. In particular:
- VexTrio has at least 60 affiliate partners, making them the single largest malicious traffic broker described in security literature.
- VexTrio operates their affiliate program in a unique way, providing a small number of dedicated servers to each affiliate.
- VexTrio’s affiliate relationships appear longstanding. For example, SocGholish has been a VexTrio affiliate since at least April 2022. ClearFake’s partnership is shorter in absolute terms, but we assess that ClearFake has worked with VexTrio throughout its lifetime, i.e., since launching its campaigns in August 2023.
- VexTrio attack chains can include multiple actors. We have observed four actors in an attack sequence.
- VexTrio and its affiliates are abusing referral programs related to McAfee and Benaughty.
- VexTrio controls multiple TDS networks, which function in different ways. In particular, we reveal a new DNS-based TDS first observed in late-December 2023.
- VexTrio domain generation schemes continue to evolve. Simply relying on a static list of words or top-level domains (TLDs) based on domain history is an ineffective approach for comprehensively detecting VexTrio domains, the known number of which exceeds 70,000.
- VexTrio has made a major shift from dedicated hosting and name servers to shared providers. Since Infoblox’s first publication of VexTrio, over 55% of VexTrio domains that were once assigned to dedicated infrastructure have migrated to shared hosting.
The security industry seems to overlook TDS operators, so our intentions with this publication are to reveal newly discovered affiliations in the cybercriminal ecosystem that victimize consumers across the globe, and to raise awareness of the critical role of TDSs in criminal operations. We have found that breaking the attack chain at the point of traffic distribution disrupts far more malicious activity than locating final landing pages and blocking malware signatures one-by-one. In many cases, TDS domain names are labeled by the security industry as adware, potentially unwanted programs (PUPs), or media sharing, when in fact, they are responsible for delivering victims to a variety of bad actors. Increased cooperation across the industry to study, uncover, and block malicious TDS providers would create a more difficult playing field for the adversaries, just as disrupting drug trafficking operations at their distribution centers is more effective than arresting sidewalk dealers.
Traffic Distribution Systems
The term traffic distribution system (TDS), sometimes also called a traffic delivery system, arises from the marketing industry. According to LeadBit, a long-established marketing company, the need for TDS in affiliate marketing comes from the necessity of making a fast decision about where to route a user. In a blog describing TDS benefits, they state that “even traffic from a well-targeted context is diverse, both in terms of geo and in the browser, device type, and other parameters. You get literally a fraction of a second to decide where you are going to redirect your visitor.”10 A TDS is a system that handles traffic management to determine where to route visitors for the most profit. The traditional marketing TDS is a set of scripts and databases hosted on one or more servers that determines how to route a user based on some set of established rules.
At Infoblox, we have observed a number of variations on the marketing TDS concept including ones that are entirely based in DNS and make decisions solely based on the requester’s IP address. A TDS can be developed by a domain owner, but many free and commercial options also exist. We have seen actors, like VexTrio, who appear to manage their own system, while others take advantage of established cloud-based TDS offerings. For example, ClearFake is known to use Keitaro, a commercial TDS with a free offering.
According to LeadBit, a TDS is “vitally important to those who deal with significant traffic flows, especially of variable quality, or with traffic that is mixed in terms of target audience, location and other parameters.” With the massive number of compromised WordPress sites that exist on the internet, gaining the most from visitors to those sites makes the use of a TDS a natural option for threat actors. A TDS redirects the user to another domain, typically an affiliate landing page, but possibly another TDS. The content of the final landing page is determined by so-called publishers. Threat actors have mirrored all aspects of the advertising industry for malicious purposes.
TDS servers play a crucial role in VexTrio’s affiliate network, as they can make or break business operations. The manner in which VexTrio configures and manages their TDS servers is critical to why VexTrio has continued to thrive and persist for so long in the threat landscape. A TDS is responsible for analyzing a victim’s profile, including browser settings and cached data. If their profile matches VexTrio’s target criteria, a TDS will redirect that web visitor to illegitimate content. This function is extremely powerful and provides the threat actor with the following benefits:
- Filters inbound traffic so that web visitors are only those that meet the actor’s target profile,
- Functions as a load balancer and preserves computing resources for valid targets,
- Provides protection to VexTrio’s downstream threat actors and landing pages against security researchers and botnets, and
- Keeps metrics on affiliate referrals to the network and enables VexTrio to credit their contributions.
A VexTrio attack chain can include multiple TDSs and actors. Each TDS, whether controlled by an affiliate or VexTrio themselves, may incorporate multiple servers or third-party services. VexTrio operates multiple types of servers within their TDS; we will discuss those later in the paper. Collectively, these servers initiate and control the entire flow of web traffic from end-to-end. For enterprises seeking to protect their employees, blocking the TDS domains at the DNS level is a great defensive strategy since they are the gateway to malicious content. When this is done, regardless of the number of compromised web pages, or how many malicious sites are created, the activity is thwarted.
VexTrio’s Business Model
VexTrio’s affiliate program operates similarly to legitimate marketing affiliate networks. Generally, each attack involves infrastructure owned by multiple entities. Participating affiliates forward traffic originating from their own resources (e.g. compromised websites) to VexTrio-controlled TDS servers. Subsequently, VexTrio conditionally relays these flows of traffic to other actors’ nefarious content or to other malicious affiliate networks. In many cases, VexTrio also redirects victims to campaigns that they operate directly. Figure 1 illustrates these service transactions between such cybercriminal entities.
VexTrio has been connecting website visitors to malicious content for at least six years. Their long-term survival is a testament to their successful business model; one that feeds on a never-ending source of web traffic from a large pool of affiliate contributors, as well as from their own infrastructure built on websites they have compromised. The following key practices have enabled VexTrio to evade detection and have strengthened their resilience against internet service provider efforts to suspend their assets.
- Directly compromising vulnerable websites to maintain their own independent sources of web traffic,
- Obtaining web traffic from other cybercriminals to maximize target outreach,
- Growing and diversifying the affiliate network to mitigate possible takedowns: the removal of several affiliate members will not halt VexTrio’s business,
- Performing normal business functions, such as tracking affiliate referrals and crediting affiliates for their traffic contributions,
- Filtering traffic using a multi-stage TDS redirect chain,
- Using URL query parameter names that overlap with referral links commonly used by legitimate and authentic affiliate networks, and
- Registering large quantities of domains daily that are dynamically generated via a dictionary domain generation algorithm (DDGA), a specific form of a registered DGA (RDGA).
When investigating HTTP-based logs, security operations center (SOC) teams might easily dismiss VexTrio activity as benign advertising traffic due to its behavioral similarity with innocuous affiliate networks. VexTrio’s use of URL query parameter names that overlap with common advertising affiliate keywords, such as Urchin Tracking Module (UTM) parameters, as well as lookalike TDS domains that infringe on technology brands, poses further challenges for SOC teams and researchers considering whether to indict VexTrio domains. Additionally, the multiple redirections between domains that share neither naming patterns nor hosting infrastructure complicate relationship analysis. Ultimately, we stepped back from investigating individual attacks and shifted to high-level DNS analysis. This enabled us to automate VexTrio detection and thereby gain a fuller understanding of the breadth of their affiliate network.
Variations within VexTrio’s TDS
VexTrio’s network uses a TDS to consume web traffic from other cybercriminals and to sell that traffic to its own customers. They also route the traffic to malicious campaigns they directly operate. VexTrio’s TDS is a large and sophisticated server cluster that leverages tens of thousands of domains to manage all of the traffic passing through it. So far, we’ve seen two types of servers that make up the TDS. The most common type is an HTTP-based web server that handles requests whose URL query strings carry different tracking parameters. VexTrio has used HTTP servers since at least 2017. The second and recently introduced type is a DNS server that only responds to TXT resource record queries for a specifically formatted FQDN. As far as we know, the earliest instance of a VexTrio attack that involved a DNS server occurred on July 17th, 2023.11
The VexTrio network provides its affiliates an HTTP-based web gateway to which they can forward compromised traffic. This system enables VexTrio to track the origin of the traffic and redirect victims based on various criteria set by the actor. These web servers are designed to accept and respond to HTTP GET requests. They run an application that parses the values assigned to the URL query parameter keys. The values in the query string are supplied by the affiliate that referred the victim to VexTrio and serve as crucial information for attribution.
Based on our observations, VexTrio exclusively redirects traffic sent from this affiliate to their malicious dating webpages. The VexTrio dating campaigns have been active since 2017, and use landing pages similar to the one in Figure 4 below.
When we deobfuscated this code block, we realized it was making a DNS query to a malicious VexTrio DNS TDS server, logsmetrics[.]com (see Figure 6 below). The injected script did not use the victim’s configured resolver; instead it sent the query to Google’s public DNS service (dns[.]google) over HTTPS, a technique known as DNS over HTTPS (DoH), in which the DNS lookup is carried inside an ordinary HTTPS request. The HTTPS request to Google’s public DNS service used the following URL:
The query parameter values instruct Google to resolve the TXT record for <compromised_site>.<ip>.<rand_num>.logsmetrics[.]com; this subdomain encodes information about the victim and the traffic source. In this instance, the DNS TDS server returned the next-stage VexTrio TDS URL:
Because the lookup is carried inside an HTTPS request to a public resolver rather than sent to the victim’s configured DNS server, DoH bypasses DNS-based security controls, including blocking by DNS firewalls. Furthermore, VexTrio’s choice of Google’s Public DNS means the request also slips past most HTTP-based security rules, since the destination is a trusted Google host. Organizations that do not operate their own DNS or employ a dedicated DNS provider are unlikely to filter dns[.]google from their networks because doing so may disrupt business-critical systems. As shown in Figure 7, at the time of this investigation, no security vendors on VirusTotal flagged logsmetrics[.]com as malicious.
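Since the DoH lookup is visible only as an HTTPS request to dns[.]google, the practical detection point is the web proxy log rather than the resolver. The following added example (ours, not code from the original paper or from VexTrio) scans constructed proxy log lines for Google JSON-API DoH lookups, keeps only TXT queries, and splits the queried name into the <compromised_site>.<ip>.<rand_num>.<zone> layout described above. The log format, the hostnames, and the dotted-or-dashed IP encoding inside the labels are assumptions; the zone logsmetrics[.]com is the one named on the page, and the fallback for unlisted zones generalizes beyond it.

```python
import re
from urllib.parse import urlparse, parse_qs

# Google's documented DoH JSON endpoint: https://dns.google/resolve?name=<fqdn>&type=<rrtype>
DOH_RESOLVE_HOSTS = {"dns.google", "8.8.8.8"}
# DNS TDS zone named in the paper; extend with your own intel.
KNOWN_DNS_TDS_ZONES = {"logsmetrics.com"}

# Constructed proxy log lines (timestamp, client, method, URL); not captured traffic.
SAMPLE_PROXY_LOG = [
    "2023-12-20T10:01:02Z 10.0.0.5 GET https://dns.google/resolve?name=www.example-shop.com.203.0.113.9.48213.logsmetrics.com&type=TXT",
    "2023-12-20T10:01:03Z 10.0.0.7 GET https://dns.google/resolve?name=www.google.com&type=A",
    "2023-12-20T10:01:04Z 10.0.0.9 GET https://www.example.com/index.html",
    "2023-12-20T10:02:11Z 10.0.0.5 GET https://dns.google/resolve?name=blog.example.org.198-51-100-77.7761.logsmetrics.com&type=TXT",
    "2023-12-20T10:03:00Z 10.0.0.12 GET https://dns.google/resolve?name=site.net.203.0.113.50.5.rndzone.xyz&type=TXT",
]

_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_DASHED_IP_RE = re.compile(rf"^{_OCTET}-{_OCTET}-{_OCTET}-{_OCTET}$")


def parse_doh_query(line):
    """Return {'ts','src','name','type'} if the line is a DoH JSON-API lookup, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    if url.hostname not in DOH_RESOLVE_HOSTS or url.path != "/resolve":
        return None
    qs = parse_qs(url.query)
    name = qs.get("name", [""])[0].rstrip(".").lower()
    if not name:
        return None
    # Google defaults to an A query when type is omitted.
    return {"ts": m.group("ts"), "src": m.group("src"), "name": name,
            "type": qs.get("type", ["A"])[0].upper()}


def _find_ipv4(labels):
    """Locate an IPv4 address encoded in DNS labels, either as four numeric labels
    or as one dashed label (assumed encodings). Returns (ip, start, end) or None."""
    for i, lab in enumerate(labels):
        if _DASHED_IP_RE.match(lab):
            return lab.replace("-", "."), i, i + 1
        window = labels[i:i + 4]
        if len(window) == 4 and all(w.isdigit() and int(w) <= 255 for w in window):
            return ".".join(window), i, i + 4
    return None


def decode_tds_name(name):
    """Split <site>.<ip>.<rand>.<zone> into parts; None if no embedded IP is found."""
    parts = name.split(".")
    zone = next((z for z in KNOWN_DNS_TDS_ZONES if name == z or name.endswith("." + z)), None)
    if zone is None:
        # Unlisted zone: assume a two-label registrable domain (heuristic).
        zone, parts = ".".join(parts[-2:]), parts[:-2]
    else:
        parts = parts[: len(parts) - zone.count(".") - 1]
    hit = _find_ipv4(parts)
    if hit is None:
        return None
    ip, start, end = hit
    return {"zone": zone, "site": ".".join(parts[:start]), "ip": ip, "tag": ".".join(parts[end:])}


def scan_log(lines):
    """Flag DoH TXT lookups whose queried name carries a site/IP payload."""
    hits = []
    for line in lines:
        q = parse_doh_query(line)
        if q is None or q["type"] != "TXT":
            continue
        decoded = decode_tds_name(q["name"])
        if decoded is None:
            continue
        hits.append({**q, **decoded, "known_zone": decoded["zone"] in KNOWN_DNS_TDS_ZONES})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_PROXY_LOG):
        print(h["ts"], h["src"], "->", h["zone"], "site=%s ip=%s known=%s" % (h["site"], h["ip"], h["known_zone"]))
```

The TXT-only filter matters: legitimate clients that use Google’s JSON API typically ask for A/AAAA records, so a browser issuing TXT lookups through a public resolver for a name that embeds an IP address is a strong signal even before the zone lands on a blocklist.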
A large number of cybercriminals have participated in VexTrio’s affiliate network over the last six years. During this time, VexTrio’s tactics, techniques, and procedures (TTPs) have evolved significantly. However, their mechanism for tracking affiliate activities remains largely the same. VexTrio uses URL query parameters to understand the source, infrastructure, responsible affiliate member, and campaign associated with the web traffic sent to its TDS. Throughout the history of VexTrio, we’ve identified several tracking parameters: u=, o=, t=, m=, f=, fp=, and utm_campaign=.
Based on analysis of the URL patterns, we assess that the u and o parameter values together represent a unique affiliate member. Incorporating public records into the research, we’ve uncovered over 60 unique u and o value combinations thus far. The total number of affiliate participants across the full history of VexTrio is likely to be far greater than this number.
Affiliates send web traffic to a limited number of VexTrio TDS servers throughout their partnership. Presumably, the network assigns each affiliate a particular set of servers, although those servers are not exclusive to that affiliate. For example, over the past five months, the ClearFake actor has forwarded victim traffic to a small set of VexTrio TDS domains with the constant parameter values t=popunder&o=apqk0hv&u=nlq8mwa. Typically, affiliate programs authorize participating members to automatically fetch a list of current servers via an API. Given these standard practices in legitimate marketing programs, it seems likely that VexTrio also uses an API.
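The attribution method described in the last three paragraphs, keying on the u/o pair rather than on any single UTM-looking parameter, is easy to automate over proxy logs. The following added example (ours, not code from the paper) groups TDS requests by (u, o), records the first and last sighting to build the usage timeline, and collects which TDS hosts and referring sites each pair used. The log layout, the TDS hostnames (*.invalid), the referers and all parameter values other than ClearFake’s t=popunder&o=apqk0hv&u=nlq8mwa quoted above are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Tracking parameter names the paper attributes to VexTrio; (u, o) together identify an affiliate.
TRACKING_KEYS = ("u", "o", "t", "m", "f", "fp", "utm_campaign")

# Constructed log lines: timestamp, client IP, referer ('-' if none), requested URL.
SAMPLE_LOG = [
    "2023-12-05T09:12:44Z 10.1.1.20 https://compromised-a.example/ https://tds-1.invalid/?t=popunder&o=apqk0hv&u=nlq8mwa",
    "2023-12-07T18:40:01Z 10.1.1.31 https://compromised-b.example/ https://tds-2.invalid/?u=nlq8mwa&o=apqk0hv&t=popunder&fp=abc123",
    "2023-12-16T11:05:09Z 10.1.1.44 https://compromised-c.example/ https://tds-3.invalid/?t=redirect&o=zzz111&u=yyy222&utm_campaign=x1",
    "2023-12-18T13:00:00Z 10.1.1.50 - https://cdn.example.net/lib.js",
    "2024-01-03T07:21:33Z 10.1.1.20 https://compromised-d.example/ https://tds-1.invalid/?o=zzz111&u=yyy222&t=redirect",
]


def extract_tracking(url):
    """Return the VexTrio-style tracking parameters found in a URL, or None if u/o are absent."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    found = {k: qs[k][0] for k in TRACKING_KEYS if k in qs}
    if "u" not in found or "o" not in found:
        return None
    return found


def attribute_affiliates(lines):
    """Group TDS requests by (u, o) and build a per-affiliate timeline and infrastructure set."""
    profiles = defaultdict(lambda: {"hits": 0, "first_seen": None, "last_seen": None,
                                    "tds_hosts": set(), "referers": set(), "t_values": set()})
    for line in lines:
        try:
            ts, _client, referer, url = line.split()
        except ValueError:
            continue  # malformed line; skip rather than crash the sweep
        params = extract_tracking(url)
        if params is None:
            continue
        p = profiles[(params["u"], params["o"])]
        p["hits"] += 1
        # ISO-8601 timestamps in one format compare correctly as strings.
        if p["first_seen"] is None or ts < p["first_seen"]:
            p["first_seen"] = ts
        if p["last_seen"] is None or ts > p["last_seen"]:
            p["last_seen"] = ts
        p["tds_hosts"].add(urlparse(url).hostname)
        if referer != "-":
            p["referers"].add(urlparse(referer).hostname)
        if "t" in params:
            p["t_values"].add(params["t"])
    return dict(profiles)


if __name__ == "__main__":
    for (u, o), p in attribute_affiliates(SAMPLE_LOG).items():
        print("u=%s o=%s hits=%d %s .. %s tds=%s" % (u, o, p["hits"], p["first_seen"], p["last_seen"], sorted(p["tds_hosts"])))
```

In the constructed data both affiliates hit tds-1.invalid, which is the situation the text describes: a TDS host is shared, so the host alone does not attribute traffic, but the (u, o) pair does, and the span between first_seen and last_seen is the affiliate’s observable lifetime.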
The following subsections provide an overview of several VexTrio affiliates. There are too many participants in the network to describe them all in this blog, so we’ve compiled actors that are either well-recognized in the cybersecurity community or that show unique and interesting qualities.
On August 25th, 2023, Randy discovered ClearFake while investigating an oddly behaving workstation at his company. The affected machine made network connections to a known VexTrio domain, bonustop-price[.]life. This domain did not follow the typical VexTrio redirect chain, but instead displayed a compromised website attempting to lure users with a fake Chrome browser update.
Based on this observation, we know that ClearFake has been an affiliate of VexTrio for at least five months. Unlike most interactions between VexTrio and its affiliates, ClearFake does not perform an HTTP 302 redirect directly to VexTrio TDS servers. Instead, it takes advantage of a commercial TDS called Keitaro. ClearFake opens a browser window in the foreground, calls its Keitaro TDS, and redirects to the VexTrio TDS URL. As an example, on December 7th, 2023, Randy observed the following attack sequence involving both actors:
- The injected code calls the API of popular cryptocurrency exchange platform Binance
- ClearFake TDS running Keitaro is called
- The response from Keitaro is a redirection to VexTrio TDS
The ClearFake actors injected two script blocks into the index HTML page of the compromised website. The first block loaded a cryptocurrency library that enabled the malware to interact with the Binance Smart Chain (BSC) blockchain network. The second block was encoded in Base64, a common technique among cybercriminals for obscuring malicious code from website owners and threat researchers (see Figure 8).
ClearFake Keitaro TDS servers exclusively redirected website visitors to VexTrio TDS endpoints from December 5th to the 7th. Since then, ClearFake activity has declined and we have not observed the typical delivery of a fake Chrome update executable. Recent attack chains have redirected either to VexTrio infrastructure or to shady gambling web pages (prom-gg[.]com and go[.]clicksme[.]org).
The following describes an instance where SocGholish redirected website visitors using macOS devices to the VexTrio network. This activity, which occurred on December 16th, 2023, is a notable example of how certain threat actors will treat all web traffic as a potential business opportunity.
- Due to the multiple injections, there is a race condition where potentially any one of them will complete their execution first and engage the next stage
- An HTTP request to a SocGholish Keitaro TDS is made
- If the User-Agent is macOS-based, the response will instead be a redirect to the same Keitaro TDS, but a different path
- This second Keitaro call will respond with a 302 redirect to a VexTrio TDS
- hXXps://machinetext[.]org/3kLWqNMc – stage 2 TDS path that redirects to VexTrio TDS
Across all SocGholish-compromised sites, injections that reference the domain machinetext[.]org always point to the /q7RzzRnM path. Besides filtering out traffic that could expose the operation to security solutions and threat researchers, this first stage also separates Windows visitors from macOS visitors.
Finally, the stage 2 Keitaro /3kLWqNMc path responded with the HTTP 302 redirect to the following VexTrio TDS:
Similar to ClearFake, the u/o parameter value combination assigned to SocGholish is unique. This helps with attribution and uncovering a usage timeline. Based on those unique u/o parameter values, SocGholish has been redirecting to VexTrio since at least April 2022. Figure 15 below shows a complete Fiddler capture of the attack chain: beginning with the compromised website redirecting to the SocGholish TDS, the VexTrio TDS, and finally to VexTrio’s fraudulent robot-captcha content.
This affiliate registers lookalike domains that imitate popular internet brands or use generic keywords. The actor allocates a portion of these domains for redirecting web traffic to affiliate networks such as VexTrio. Such domains consistently use the subdomain name “tiktok” (e.g. tiktok[.]megastok[.]top) and redirect to the same VexTrio TDS (prizes-topwin[.]life) that is used by ClearFake. This TDS domain has largely redirected web traffic to VexTrio’s dating and robot CAPTCHA campaigns. When website visitors don’t meet VexTrio’s target conditions, they are redirected to the default Tinder app download page on the Google Play Store.
VexTrio is a prolific DNS threat actor that registers a very large number of domains to carry out widespread attacks across the globe. They often leave a substantial footprint in our network logs due to their methods of operation, enabling us to extensively study their activities and identify DNS patterns over the last two years. Infoblox solutions use DNS signatures to detect and block VexTrio domains proactively. Recently, the actors have migrated a large portion of their infrastructure to shared hosting providers, making them more difficult to track. However, these domains continue to show unique characteristics that our detectors can pick up. In this section, we share details about VexTrio domain patterns, as well as their behavior in DNS.
DDGA domains play a vital role in the VexTrio network. These domains are multipurpose and can function either as a TDS or a host for malicious content as we will describe in the later Campaigns section. VexTrio’s use of a DDGA is a major contributing factor to their success as an affiliate network and their survival in cyberspace. Their large and ever-growing collection of domains makes it difficult for internet providers to bring their infrastructure down. We described the DDGA algorithm in our previous publications; here, we provide a statistical description of the changes we’ve seen since our last report.
VexTrio’s DDGA dictionary continues to grow. Thus far, we’ve extracted 4518 unique words from our historical DDGA detections. Note that it is difficult to build a word extractor that can accurately find all words within a domain name. The task is even more difficult when the actor includes short, two-letter words. Generally, words that VexTrio introduced early in their dictionary show a higher usage count across all DDGA domains, as seen in the Figure 17 word cloud. Some words show a much higher usage than their sibling words despite being added to the dictionary around the same time. This indicates that VexTrio’s DDGA algorithm is not entirely randomized, or that they have discarded some words from their dictionary (e.g. the word “table” has not been seen in VexTrio DDGA domains since February 5th, 2023).
We determine when a new word has been added to VexTrio’s dictionary by finding the domain with the earliest registration date that uses the word in its name. Figure 18 below shows the frequency of newly added words in comparison to the domain creation dates. This activity is another example of VexTrio’s continuous evolution. The actors are constantly updating their TTPs and toolkits, as well as their selection of domain names and TLDs. That is why simply relying on a static list of words or TLDs based on domain history is an ineffective approach for comprehensively detecting VexTrio domains.
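The word-extraction and first-seen analysis described in the two paragraphs above can be reproduced with a dictionary-driven segmenter. The following added example (ours, not the paper’s tooling, and not VexTrio’s real dictionary or registrations) segments the registrable label of each domain into dictionary words with a dynamic-programming pass that prefers the fewest words, then derives per-word usage counts, the earliest registration date per word (the “newly added word” signal of Figure 18) and the last sighting (the “discarded word” signal, e.g. “table”). The word list, the domains and their creation dates are constructed; two of the domains reuse names quoted elsewhere in the paper.

```python
from collections import Counter, defaultdict

# Constructed dictionary; the real VexTrio dictionary has thousands of entries.
WORDLIST = {"bonus", "top", "price", "prizes", "win", "best", "deal", "table",
            "go", "my", "lucky", "spin", "gift", "zone"}

# Constructed (domain, registration date) pairs; not real registration data.
SAMPLE_DOMAINS = [
    ("bonustop-price.life", "2023-01-10"),
    ("prizes-topwin.life", "2023-02-01"),
    ("besttable.top", "2023-02-03"),
    ("mytopdeal.life", "2023-03-15"),
    ("luckyspin-gift.top", "2023-04-02"),
    ("gozone-win.xyz", "2023-04-20"),
]


def segment(label, wordlist):
    """Cover a hyphen-free label with dictionary words using the fewest words (DP).
    Returns None when no full cover exists. Two-letter words such as 'go' or 'my'
    are where this gets ambiguous, which is the difficulty the paper notes."""
    n = len(label)
    best = [None] * (n + 1)  # best[i] = (word_count, words) covering label[:i]
    best[0] = (0, [])
    max_len = max(len(w) for w in wordlist)
    for i in range(1, n + 1):
        for j in range(max(0, i - max_len), i):
            if best[j] is not None and label[j:i] in wordlist:
                cand = (best[j][0] + 1, best[j][1] + [label[j:i]])
                if best[i] is None or cand[0] < best[i][0]:
                    best[i] = cand
    return best[n][1] if best[n] is not None else None


def domain_words(domain, wordlist):
    """Words in the registrable label (assumes a single-label TLD); hyphen-separated
    parts are segmented independently. Returns (words, unsegmentable_parts)."""
    sld = domain.lower().rstrip(".").split(".")[-2]
    words, unknown = [], []
    for part in sld.split("-"):
        seg = segment(part, wordlist)
        if seg is None:
            unknown.append(part)
        else:
            words.extend(seg)
    return words, unknown


def word_stats(domains, wordlist):
    """Per-word usage count, earliest registration date and latest registration date."""
    counts, first_seen, last_seen = Counter(), {}, {}
    for domain, created in domains:
        words, _unknown = domain_words(domain, wordlist)
        counts.update(words)
        for w in words:
            if w not in first_seen or created < first_seen[w]:
                first_seen[w] = created
            if w not in last_seen or created > last_seen[w]:
                last_seen[w] = created
    return counts, first_seen, last_seen


def new_words_by_month(first_seen):
    """Bucket newly introduced words by the month of their first registration."""
    by_month = defaultdict(set)
    for w, date in first_seen.items():
        by_month[date[:7]].add(w)
    return dict(by_month)


if __name__ == "__main__":
    counts, first, last = word_stats(SAMPLE_DOMAINS, WORDLIST)
    for w, c in counts.most_common():
        print("%-8s used=%d first=%s last=%s" % (w, c, first[w], last[w]))
    print(new_words_by_month(first))
```

Fewest-words tie-breaking is a heuristic, not ground truth: a label like “prizes” could be split as a longer word or as shorter fragments if both were in the dictionary, so unknown-part output and manual review remain part of the workflow.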
One of the biggest observed changes in VexTrio’s infrastructure since our first report has been the mass migration of domains from dedicated servers to shared hosting. This is a significant effort and change in TTPs by the actor to thwart detection from security systems. In Figure 19 below, we have visualized this DNS re-configuration. The nodes (or black dots) on the diagram represent either a VexTrio DDGA domain, a TDS domain, or a dedicated name server. The red edges that connect the nodes represent the domains that were hosted on VexTrio’s dedicated servers at some point in time. A blue edge indicates that the domain resolves to a shared hosting service provider. Over time, we can see that a large number of VexTrio assets migrated from dedicated hosting to shared hosting (e.g. Cloudflare, NameSilo, and OVH).
In addition to shared hosting, VexTrio has migrated from dedicated name servers to shared name servers. As of now, over 55% of VexTrio-controlled domains that were once served by dedicated name servers have switched to shared name servers. Figure 20 is a comparison of domains that are currently on shared infrastructure (blue edges) to all of the domains that were historically assigned to dedicated name servers (pink edges). Although not clearly visible in the diagram, less than 1 percent of VexTrio domains are assigned to parking services (represented by green edges). Typically, threat actors that operate disposable DDGA domains use them very briefly. VexTrio, on the other hand, constantly re-uses their DDGA domains. For example, we’ve observed DDGA domains that were created in early 2022 re-used many times in 2023. The minuscule number of domains repurposed to parking over the last two to three years highlights VexTrio’s common practice of retaining ownership of their domains for long periods of time.
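The migration percentage quoted above comes from comparing each domain’s historical name-server assignments with its current one. The following added example (ours, not the paper’s analysis code) shows that computation on constructed passive-DNS-style records: each name server is classified as dedicated (hosted under an actor-run domain), shared (a known provider), parking, or unknown, and the report counts how many domains that were ever on dedicated name servers now sit on shared or parking infrastructure. The actor name-server domain tds-own.invalid, the parking provider, the domains and the dates are all hypothetical; the Cloudflare and OVH name-server suffixes are real provider patterns used here only as illustrative classifier entries.

```python
from collections import defaultdict

# Constructed (domain, observation date, name server) records; not real VexTrio data.
SAMPLE_NS_HISTORY = [
    ("word-one.life", "2022-03-01", "ns1.tds-own.invalid"),
    ("word-one.life", "2023-06-12", "ada.ns.cloudflare.com"),
    ("word-two.top", "2022-05-10", "ns2.tds-own.invalid"),
    ("word-two.top", "2023-09-01", "dns200.ovh.net"),
    ("word-three.life", "2022-07-20", "ns1.tds-own.invalid"),
    ("word-four.xyz", "2023-10-05", "bob.ns.cloudflare.com"),
    ("word-five.life", "2022-08-02", "ns2.tds-own.invalid"),
    ("word-five.life", "2023-11-11", "ns1.parking-example.invalid"),
]

ACTOR_NS_DOMAINS = {"tds-own.invalid"}                  # hypothetical actor-run NS domain
SHARED_NS_SUFFIXES = {"ns.cloudflare.com", "ovh.net"}   # illustrative shared-provider patterns
PARKING_NS_SUFFIXES = {"parking-example.invalid"}       # hypothetical parking provider


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_ns(ns):
    """Map a name-server hostname to dedicated / parking / shared / unknown."""
    host = ns.lower().rstrip(".")
    if _under(host, ACTOR_NS_DOMAINS):
        return "dedicated"
    if _under(host, PARKING_NS_SUFFIXES):
        return "parking"
    if _under(host, SHARED_NS_SUFFIXES):
        return "shared"
    return "unknown"


def migration_report(history):
    """Of the domains ever seen on dedicated name servers, how many now sit on shared,
    parking or still-dedicated infrastructure, judged by each domain's latest observation."""
    by_domain = defaultdict(list)
    for domain, date, ns in history:
        by_domain[domain].append((date, classify_ns(ns)))
    ever_dedicated, current = set(), {}
    for domain, observations in by_domain.items():
        observations.sort()                      # ISO dates sort chronologically as strings
        if any(cat == "dedicated" for _, cat in observations):
            ever_dedicated.add(domain)
        current[domain] = observations[-1][1]
    migrated = {d for d in ever_dedicated if current[d] == "shared"}
    parked = {d for d in ever_dedicated if current[d] == "parking"}
    still = {d for d in ever_dedicated if current[d] == "dedicated"}
    pct = round(100.0 * len(migrated) / len(ever_dedicated), 1) if ever_dedicated else 0.0
    return {"ever_dedicated": ever_dedicated, "migrated_to_shared": migrated,
            "parked": parked, "still_dedicated": still, "pct_migrated": pct}


if __name__ == "__main__":
    r = migration_report(SAMPLE_NS_HISTORY)
    print("%d domains ever on dedicated NS; %.1f%% now on shared NS; %d parked; %d still dedicated"
          % (len(r["ever_dedicated"]), r["pct_migrated"], len(r["parked"]), len(r["still_dedicated"])))
```

Domains that only ever appeared on shared infrastructure (word-four.xyz here) are deliberately left out of the denominator; the statistic in the text is about migration, and counting never-dedicated domains would inflate it. The same classifier can be run over A-record hosting to reproduce the Figure 19 view.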
Obfuscation and Lookalike Domains
Injections From Multiple Actors
Many affiliates use URL shorteners for redirecting victim traffic to the VexTrio network. These affiliates generate a shortened version of either their own TDS URL or a VexTrio TDS URL. They accomplish this by using a legitimate URL shortener service such as TinyURL or X (formerly known as Twitter). Unlike compromised websites that may have accrued regular visitors over their history, shortened URLs are unknown to the rest of the world when actors generate them. Typically, these URLs do not receive web traffic aside from the actor. Similar to most spam email campaigns, it is likely that these affiliates conduct email campaigns that convince recipients to click on a shortened URL disguised as a harmless link. In the network traffic logs we’ve observed, the shortened URLs initiate the redirect chain and the victim does not visit a compromised website. The following are some examples of shortened URLs used in recent VexTrio attack chains:
The VexTrio network contributes web traffic to numerous cyber campaigns. We believe some are conducted directly by the VexTrio actors themselves, based on the length of the campaign’s operation, use of specific web resources, exclusive selection of VexTrio domains, and overlap with historical VexTrio infrastructure. Each campaign has a unique theme and purpose. Presumably, VexTrio TDS servers redirect website visitors to the most relevant campaign based on their profile attributes (e.g. geolocation, browser cookies, and browser language settings). In many cases, VexTrio redirects users to benign websites such as play[.]google[.]com or benaughty[.]com (adult content). These landing sites are not malicious. Rather, VexTrio and its affiliates are abusing referral programs or confusing security inspection by adding a harmless filler. In the sections below, we describe malicious and long-running campaigns, as well as provide supporting evidence for our theory around attribution.
Our earliest confirmed observation of VexTrio’s robot CAPTCHA campaign dates back to late 2020.19 The attack chain from this early campaign is similar to those seen more recently. The only major change has been the incorporation of a DNS-based TDS, which appears to have begun in September 2023.
If the victim clicks on the allow button, the action will change the permission settings of the victim’s browser so that it can receive web push notifications from VexTrio’s servers at any time even if a browser window is not opened. Figure 26 below shows the addition of a VexTrio server URL in the notification permission settings of a Firefox browser after the user clicks on the allow button.
From this point onwards, VexTrio’s servers send push notifications to the victim’s browser client, which processes the messages and displays them on the device screen. The position of the notification depends on the victim’s operating system. For example, push notifications on Windows devices appear at the bottom right of the screen. This tactic is very effective because the end user is often unaware that the notifications originate from a permission granted in the browser. Since the messages appear to be generated by the device rather than by a website, users are more likely to trust them and more susceptible to this kind of trick than to a simple website popup.
After clicking on any of the notifications, our browser took us to a McAfee product subscription page (Figure 28). Based on the URL parameters of the McAfee subscription landing pages, we are certain this redirect generates a referral commission for either VexTrio or its downstream customer.
We’ve observed other, similar robot CAPTCHA campaigns that are operated by different entities. Although other actors use the same PNG files in their presentations to victims, the VexTrio robot CAPTCHA campaign has distinct traits that have helped us with attribution. We believe VexTrio directly conducts the robot CAPTCHA campaigns based on the fact that the content is exclusively hosted on VexTrio infrastructure. We have also made the following findings:
- An earlier campaign from 2019 uses the same web template resource and a shorter variation of this translation module.20 There is a strong possibility that the current robot CAPTCHA campaign is an evolution of this.
- Our large historical DNS logs confirm that domains used in earlier robot CAPTCHA campaigns were hosted on DNS infrastructure dedicated to VexTrio.21
- The robot CAPTCHA web content and resources including the translation module are always hosted on a domain registered by the VexTrio actors.
- VexTrio continues to use Google’s Firebase Cloud Messaging (FCM) service to send web push notifications to their victims.
- After accepting push notifications at the robot CAPTCHA page, victims appear to be redirected exclusively to the VexTrio TDS.
- Beginning in April 2022, the campaign evolved, and the actors introduced the new robot URL paths /space-robot/ and /eyes-robot/. Previously, VexTrio used /robot4/ and /robot/, which are no longer in use.
Recently, VexTrio has changed their operations to use shared hosting on providers with protective services, such as Cloudflare. Additionally, they have migrated many of their previously registered domains to these providers. Without the complete historical context, it can be difficult to recognize the connection between current robot CAPTCHA operations and those that were active many years ago.
One of VexTrio’s primary means of generating income is providing victims to other cybercriminals. In this section, we demonstrate how VexTrio TDS servers receive web traffic from an affiliate and then resell that traffic to a downstream threat actor.
To demonstrate the activity, we used a Firefox-on-Windows user agent and a VPN connection based in Italy. We triggered the redirect chain by visiting a possibly compromised website hosted on beget[.]ru, a free Russian hosting service that is heavily abused by threat actors. We were then redirected to a webpage using a fraudulent domain named hixastump[.]com. Although our browser language preference was set to German, the webpage displayed Italian text and prompted us to pass a CAPTCHA test in order to proceed to the download page (see Figure 29). This indicates that the actor is using a translation module to dynamically update the contents of the page based on the visitor’s IP geolocation rather than the browser’s language setting.
Once we met the CAPTCHA requirements, hixastump[.]com took us to the final landing page, which served an icon disguised as a download button for supposedly intriguing content (e.g., videos, applications, and games). However, clicking the button instructs the victim to send a text message to the actor via a short SMS code (Figure 30). This campaign is likely conducted by a threat actor that specializes in mobile-based scam operations.
Although invisible to the user, our browser made numerous network connections to fraudulent domains between the time we visited the compromised site and when we reached the landing page. Based on our network traffic capture of the fraudulent activity, we assess that at least four different actors were involved in this attack chain: a VexTrio affiliate, VexTrio itself, a downstream affiliate, and a fraud publisher (identified in Figure 31).
VexTrio’s advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy. Due to the complex design and entangled nature of the affiliate network, precise classification and attribution are difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years. Furthermore, the actor has changed their selection of providers and obscures their activities through protective services like Cloudflare. Although difficult to identify and track, blocking VexTrio directly disrupts a large spectrum of cybercrime activity. Given their long history and adaptability, we expect they will continue to advance their capabilities and their network.
Prevention and Mitigation
Infoblox specializes in security solutions that help protect organizations against persistent DNS threat actors such as VexTrio. Using tailored DNS signatures and statistics-based algorithms, Infoblox continues to identify VexTrio’s intermediary TDS servers and DDGA domains shortly after registration. VexTrio is a large and malicious network that reaches a wide audience of internet users. Organizations should not underestimate the severity of VexTrio’s threat based on the perception that the delivered content is seemingly less dangerous than other high-profile malware.
To improve your organization’s resilience against VexTrio and similar TTPs, we recommend the following actions for protection:
- Limit web activity to secure websites that use a Secure Sockets Layer (SSL) certificate. A secure website’s URL should begin with “https” rather than plain “http.”
- Look for the green lock icon when visiting unfamiliar websites and click on the icon to review the website’s authenticity.
- Do not allow push notifications from untrusted websites.
- Subscribe to Infoblox RPZ feeds that offer protection against malicious hostnames. These feeds enable organizations to stop the actors’ connections at the DNS level, because every component described in this report (compromised websites, intermediary redirect domains, DDGA domains, and landing pages) depends on the DNS protocol. Infoblox Threat Intel detects these components daily and adds them to Infoblox’s RPZ feeds.22
- Leverage Infoblox’s Threat Insight service, which performs real-time streaming analytics on live DNS queries and can provide high-security coverage, along with protection against threats that are based on DGAs as well as DDGAs.23
- When an attack chain is observed that includes redirection through domains that might be VexTrio or another TDS actor, proactively block the intermediate domains.
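The two defensive steps above, extracting the intermediate domains from an observed redirect chain and blocking them at the DNS level through RPZ, can be automated. The following added example (not Infoblox code) walks a constructed redirect capture, flags every redirector after the entry site plus any host serving one of the robot CAPTCHA paths listed earlier, and emits RPZ NXDOMAIN rules for them; all hostnames are placeholders.

```python
from urllib.parse import urlsplit

# URL paths of the robot CAPTCHA pages the report attributes to VexTrio
# (current /space-robot/ and /eyes-robot/, retired /robot4/ and /robot/).
ROBOT_PATHS = ("/space-robot/", "/eyes-robot/", "/robot4/", "/robot/")

# Constructed redirect chain: (HTTP status, requested URL, Location header)
# per hop, in the shape a HAR export or proxy log gives. Hosts are placeholders.
CHAIN = [
    (302, "http://blog.compromised-site.invalid/news.html",
          "https://first-hop.invalid/?utm_campaign=aff42"),
    (302, "https://first-hop.invalid/?utm_campaign=aff42",
          "https://robot-host.invalid/space-robot/?z=7"),
    (200, "https://robot-host.invalid/space-robot/?z=7", None),
]


def host_of(url):
    """Lower-cased hostname of a URL."""
    return urlsplit(url).hostname.lower()


def suspicious_domains(chain):
    """Hosts to block: every redirector after the entry (compromised) site,
    plus any host serving a known robot CAPTCHA path, whatever its status."""
    entry = host_of(chain[0][1])
    flagged = set()
    for status, url, location in chain:
        host = host_of(url)
        path = urlsplit(url).path
        if host != entry and 300 <= status < 400 and location:
            flagged.add(host)
        if any(path.startswith(p) for p in ROBOT_PATHS):
            flagged.add(host)
    return sorted(flagged)


def rpz_records(domains):
    """RPZ rules that NXDOMAIN each domain and all of its subdomains
    (CNAME to the root label is the standard RPZ NXDOMAIN action)."""
    lines = []
    for domain in domains:
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    print("\n".join(rpz_records(suspicious_domains(CHAIN))))
```

The compromised entry site is deliberately left out of the block list, since it is a victim rather than actor infrastructure and is better handled by notifying its owner.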
Indicators of Activity
A selection of current VexTrio indicators is available in our GitHub repository. The indicator types published there are listed below.
| Type of Indicator |
|---|
| VexTrio TDS domains with dating keywords |
| VexTrio TDS domains with award keywords |
| VexTrio robot CAPTCHA TDS domains |
| VexTrio DNS-based TDS domains |
| VexTrio TDS domain (response from DNS-based TDS) |
| ClearFake TDS domains |
| Gambling sites that ClearFake redirects to |
| SocGholish TDS domains |
| TikTok lookalike domains registered by a VexTrio affiliate |
| Shortened URLs generated by a VexTrio affiliate |
| Anti-bot lookalike domain registered by a VexTrio affiliate |
| SMS scam content domains operated by a VexTrio downstream threat actor |
- Figure 3 domain claimyourprize48[.]live is a VexTrio TDS.
- Janos Szurdi, Meng Luo, Brian Kondracki, Nick Nikiforakis, and Nicolas Christin. 2021. Where are you taking me? Understanding Abusive Traffic Distribution Systems. In Proceedings of the Web Conference 2021 (WWW ’21). Association for Computing Machinery, New York, NY, USA, 3613–3624. https://doi.org/10.1145/3442381.3450071